mirrors/linux-stable
1
0
Fork 0
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git synced 2024-09-15 23:25:07 +00:00
Code Issues Releases Wiki Activity
linux-stable/drivers/usb/misc
History
Johan Hovold 44efc269db USB: adutux: fix use-after-free on disconnect 
The driver was clearing its struct usb_device pointer, which it used as
an inverted disconnected flag, before deregistering the character device
and without serialising against racing release().

This could lead to a use-after-free if a racing release() callback
observes the cleared pointer and frees the driver data before
disconnect() is finished with it.

This could also lead to NULL-pointer dereferences in a racing open().

Fixes: f08812d5eb ("USB: FIx locks and urb->status in adutux (updated)")
Cc: stable <stable@vger.kernel.org>     # 2.6.24
Reported-by: syzbot+0243cb250a51eeefb8cc@syzkaller.appspotmail.com
Tested-by: syzbot+0243cb250a51eeefb8cc@syzkaller.appspotmail.com
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://lore.kernel.org/r/20190925092913.8608-1-johan@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-10-04 11:02:59 +02:00
..
sisusbvga USB: sisusbvga: Remove unneeded variable 2019-06-10 18:03:09 +02:00
adutux.c USB: adutux: fix use-after-free on disconnect 2019-10-04 11:02:59 +02:00
appledisplay.c Merge 4.20-rc6 into usb-next 2018-12-10 10:19:08 +01:00
chaoskey.c USB: chaoskey: Use kasprintf() over strcpy()/strcat() 2018-02-22 15:17:05 +01:00
cypress_cy7c63.c USB: cypress_cy7c63: convert to use dev_groups 2019-08-09 07:55:44 +02:00
cytherm.c USB: cytherm: convert to use dev_groups 2019-08-09 07:55:44 +02:00
ehset.c USB: misc: Remove redundant license text 2017-11-04 11:55:38 +01:00
emi26.c USB: misc: Remove redundant license text 2017-11-04 11:55:38 +01:00
emi62.c USB: misc: Remove redundant license text 2017-11-04 11:55:38 +01:00
ezusb.c USB: misc: Remove redundant license text 2017-11-04 11:55:38 +01:00
ftdi-elan.c usb: ftdi-elan: fix possible condition with no effect (if == else) 2019-06-03 15:21:57 +02:00
idmouse.c USB: misc: Remove redundant license text 2017-11-04 11:55:38 +01:00
iowarrior.c usb: iowarrior: fix deadlock on disconnect 2019-08-08 12:43:18 +02:00
isight_firmware.c USB: misc: Remove redundant license text 2017-11-04 11:55:38 +01:00
Kconfig USB: rio500: Remove Rio 500 kernel driver 2019-10-04 10:53:36 +02:00
ldusb.c *: convert stream-like files from nonseekable_open -> stream_open 2019-05-06 17:46:41 +03:00
legousbtower.c usb: legousbtower: use irqsave() in USB's complete callback 2018-06-28 19:36:07 +09:00
lvstest.c USB: lvstest: convert to use dev_groups 2019-08-09 07:55:44 +02:00
Makefile USB: rio500: Remove Rio 500 kernel driver 2019-10-04 10:53:36 +02:00
trancevibrator.c USB: trancevibrator: convert to use dev_groups 2019-08-09 07:55:45 +02:00
usb251xb.c usb: usb251xb: Reallow swap-dx-lanes to apply to the upstream port 2019-07-25 11:16:19 +02:00
usb3503.c usb: misc: usb3503: get optional clock by devm_clk_get_optional() 2019-04-19 14:24:25 +02:00
usb4604.c USB: misc: Remove redundant license text 2017-11-04 11:55:38 +01:00
usb_u132.h USB: misc: Remove redundant license text 2017-11-04 11:55:38 +01:00
usblcd.c USB: add SPDX identifiers to all remaining files in drivers/usb/ 2017-11-04 11:48:02 +01:00
usbsevseg.c USB: usbsevseg: convert to use dev_groups 2019-08-09 07:55:45 +02:00
usbtest.c usb: misc: usbtest: add super-speed isoc support 2019-02-13 13:03:23 +02:00
uss720.c usb: misc: uss720: Fix two sleep-in-atomic-context bugs 2018-09-05 14:36:53 +02:00
yurex.c usb: yurex: Fix use-after-free in yurex_delete 2019-08-05 17:27:52 +02:00